Welcome to “The Cyber Security Loop" - News Bites #7

Ho Ho Ho! This is the last Cyber Security News Bites for this year, so season's greetings to you all and a joyous Christmas break!

CyberCon in Melbourne last week was a blast. There were over 400 talks from great speakers, including yours truly, who talked about the “Hamster Wheel of Death of third-party audits”! If you missed it, I’ve put a link below where you can view my slides and other GRC-related giveaways.

Cyooda Security - GRC resources

https://cyooda.com/grcresources/

In other security news:

  1. The Australian Government recently passed the long-awaited Data Privacy Reforms and the new Cyber Security Act. These reforms include mandatory reporting of ransomware payments and civil penalties for non-compliance.
  2. Australia and the United Kingdom will join forces to combat phone scams, spam and unsolicited calls under a new agreement signed by the two countries’ communications regulators. Consumer losses reported to Scamwatch due to scam calls and SMS are AUD83 million so far this year.
  3. Two UK hospitals were hit by cyberattacks, resulting in delays to procedures for patients. Alder Hey Children’s Hospital said it was investigating claims that its systems may have been breached and that patient records and other information were stolen.
  4. A cyber attack, confirmed as being ransomware, against the AI-driven supply chain platform Blue Yonder is having a broader impact on both sides of the pond: Starbucks in the U.S. is said to be affected, as are at least two of the big four U.K. retail supermarket chains.
  5. A Russian state-sponsored threat group called RomCom launched a cyber attack chaining two zero-day security vulnerabilities together, one with a severity rating of 9.8 and the other 8.8. The attack, using these previously unknown vulnerabilities, exploited both the Mozilla Firefox web browser and Windows itself in order to install a backdoor capable of executing commands and downloading further malware onto the target computer.


Tip

Mitigate Phishing and Business Email Compromise (BEC)

Did you know that Business Email Compromise costs businesses more than ransomware? According to the FBI, BEC losses came to over $43 billion globally between 2016 and 2021. If you believe the stats, that means BEC costs more than ransomware (the industry “boogeyman”) by a factor of nearly 79 times.

SMBs and law firms are prime targets due to their valuable client data and often limited cybersecurity resources.

Practical steps to mitigate risks:

  1. Train your team: Regularly educate employees about phishing tactics, from fake invoice schemes to spoofed executive emails.
  2. Enable email authentication protocols: Use SPF, DKIM, and DMARC to prevent email spoofing.
  3. Verify all unusual requests: Especially those involving wire transfers or sensitive client information.
  4. Use MFA (Multi-Factor Authentication): Make MFA mandatory for email and key applications.
  5. Monitor user behaviour: Regularly check your M365 logs and other email logs for unusual login requests and changes to inbox rules.

Remember, phishing often relies on human error—education and vigilance are your best defences.
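Steps 2 and 5 of the list above are the ones a small IT team can automate. The following Python script is an added example, not part of this newsletter and not any vendor's tooling: it grades a domain's SPF and DMARC TXT records (weak settings such as `+all` and `p=none` beside the enforcing ones) and scans audit entries for the inbox-rule patterns that BEC cases typically leave behind (forwarding to an outside address, deleting matching mail, diverting finance-themed messages, near-empty rule names) plus logins from unfamiliar addresses. The DNS values and audit entries are constructed samples; the domains, the `INTERNAL_DOMAINS` and `KNOWN_EGRESS_IPS` sets and the finance keyword list are assumptions you would replace with your own, and the parameter names (`ForwardTo`, `RedirectTo`, `DeleteMessage`, `SubjectContainsWords`, `MoveToFolder`, `MarkAsRead`) mirror the Exchange inbox-rule cmdlet parameters recorded in the Microsoft 365 Unified Audit Log.

```python
import re

# Constructed sample DNS TXT values for three made-up domains (not real lookups).
SAMPLE_DNS = {
    "example-law.test": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example-law.test",
    },
    "weak-smb.test": {"spf": "v=spf1 +all", "dmarc": "v=DMARC1; p=none"},
    "no-auth.test": {"spf": None, "dmarc": None},
}


def assess_email_auth(spf, dmarc):
    """Return human-readable findings for a domain's SPF and DMARC TXT records.

    An empty list means the records enforce against spoofed mail. DKIM is not
    assessed here because it needs a selector and a signed message, not just DNS.
    """
    findings = []
    if not spf:
        findings.append("SPF missing: receivers cannot tell who may send as this domain")
    else:
        match = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", spf)
        qualifier = match.group(1) if match else None
        if qualifier in ("", "+"):
            findings.append("SPF pass-all: the record authorises every sender on the internet")
        elif qualifier == "~":
            findings.append("SPF softfail (~all): spoofed mail is accepted and only marked")
        elif qualifier is None:
            findings.append("SPF has no 'all' mechanism, so unlisted senders are neutral")
    if not dmarc:
        findings.append("DMARC missing: SPF/DKIM failures carry no enforced policy")
    else:
        tags = dict(t.strip().split("=", 1) for t in dmarc.split(";") if "=" in t)
        policy = tags.get("p", "").strip().lower()
        if policy == "none":
            findings.append("DMARC p=none: spoofed mail is reported but still delivered")
        elif policy not in ("quarantine", "reject"):
            findings.append(f"DMARC policy unrecognised: {policy!r}")
        if "rua" not in tags:
            findings.append("DMARC has no rua address, so aggregate reports are never collected")
    return findings


# Constructed audit entries shaped like Microsoft 365 Unified Audit Log records
# (Operation / UserId / ClientIP / Parameters); the IPs are documentation ranges.
SAMPLE_AUDIT_LOG = [
    {"Operation": "UserLoggedIn", "UserId": "alice@example-law.test", "ClientIP": "203.0.113.10"},
    {"Operation": "UserLoggedIn", "UserId": "alice@example-law.test", "ClientIP": "192.0.2.55"},
    {"Operation": "New-InboxRule", "UserId": "alice@example-law.test", "ClientIP": "192.0.2.55",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "external-mailbox@mail.invalid"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example-law.test", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example-law.test", "ClientIP": "198.51.100.9",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
]

INTERNAL_DOMAINS = {"example-law.test"}  # assumed: the organisation's own mail domains
KNOWN_EGRESS_IPS = {"203.0.113.10", "198.51.100.7", "198.51.100.9"}  # assumed office egress
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "remittance"}  # assumed watch list


def flag_inbox_rule(entry):
    """Return the reasons an inbox-rule event matches common BEC patterns, or []."""
    if entry.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    params = {p["Name"]: p["Value"] for p in entry.get("Parameters", [])}
    reasons = []
    # Auto-forwarding to an address outside the organisation.
    for name in sorted(FORWARDING_PARAMS & set(params)):
        target = params[name]
        if target.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
            reasons.append(f"{name} to external address {target}")
    # Rules that silently delete matching mail so the mailbox owner never sees it.
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule deletes matching messages")
    # Finance-themed mail quietly moved out of the inbox or marked as read.
    words = {w.strip().lower() for w in params.get("SubjectContainsWords", "").split(";") if w.strip()}
    if words & FINANCE_WORDS and (params.get("MoveToFolder") or params.get("MarkAsRead") == "True"):
        reasons.append("finance-related mail diverted: " + ", ".join(sorted(words & FINANCE_WORDS)))
    # Blank or one-character rule names are easy to overlook in the rules list.
    name = params.get("Name")
    if name is not None and len(name.strip()) <= 1:
        reasons.append("rule name is blank or a single character")
    return reasons


def scan_audit_log(entries):
    """Return (user, operation, reasons) for every entry that warrants review."""
    review = []
    for entry in entries:
        if entry.get("Operation") == "UserLoggedIn":
            ip = entry.get("ClientIP")
            reasons = [] if ip in KNOWN_EGRESS_IPS else [f"login from unfamiliar IP {ip}"]
        else:
            reasons = flag_inbox_rule(entry)
        if reasons:
            review.append((entry["UserId"], entry["Operation"], reasons))
    return review


if __name__ == "__main__":
    for domain, records in SAMPLE_DNS.items():
        print(domain, assess_email_auth(**records) or ["no findings"])
    for user, operation, reasons in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(user, operation, "; ".join(reasons))
```

In practice you would feed `assess_email_auth` the TXT records returned by a DNS lookup of your domain and `_dmarc.<your domain>`, and feed `scan_audit_log` the records exported from the Microsoft 365 audit log, running the scan daily rather than once. The checks are deliberately conservative: a rule that only files newsletters produces no finding, while a rule that forwards outside the organisation or hides invoice mail does.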

Tool

Managing third-party risk is crucial for SMBs and law firms, which often rely on external vendors for IT services, document management, and cloud solutions. A single vulnerability in a third-party vendor’s system can expose sensitive client data or disrupt operations. SecurityScorecard, a leading cybersecurity rating platform, offers a free version to help you assess and monitor the security posture of your vendors and partners, and to monitor your own organisation’s external footprint indefinitely at no cost.

More info: https://securityscorecard.com

Resource

For SMBs, and indeed anyone juggling limited resources, the SMB 1001 Framework offers clear, actionable guidance on managing cybersecurity risks.

Why it’s valuable:

  • Improved cybersecurity practices and protection against cyber threats and scams.
  • Increased trust and confidence from customers and partners.
  • Competitive advantage when bidding for contracts that require cybersecurity certification.
  • Better preparedness for complying with other cybersecurity standards and regulations.
  • SMB1001 is designed to be more affordable and easier for SMBs to adopt than other standards like ISO/IEC 27001, and provides a pathway to ISO27001 in the future.
  • Helps you prioritise cybersecurity investments effectively.

Start here: https://dsi.org/smb1001

Implementing even a basic framework can demonstrate your commitment to safeguarding client data and regulatory compliance.

Quote

"The best way to spread Christmas cheer is singing loud for all to hear." – Will Ferrell, Elf

More articles by John Reeman